OAuth vulnerability in using submitted authorization token for authentication
Pages 11
Clone this wiki locally
CVE ID
- CVE-2019-12300
Type
- Authentication vulnerability
- OAuth authorization token being used for user authentication
Schedule
- Reported: 7 May 2019
- Fix merged into master: 9 May 2019
- Fix in a release: 22 May 2019
Description
Buildbot accepted user-submitted authorization token from OAuth and used it to authenticate user.
Impact analysis
The vulnerability can lead to malicious attackers to authenticate as legitimate users of a Buildbot instance without knowledge of the victim's login credentials on certain scenarios.
If an attacker has an application authorized to access data of another user at the same Identity Provider as the used by the Buildbot instance, then he can acquire a token to access the data of that user, supply the token to the Buildbot instance and successfully login as the victim.
Versions vulnerable
Buildbot 0.9.5 to 1.8.1, 2.0.0 to 2.3.0 (inclusive)
Fixed versions
Buildbot 2.3.1 and 1.8.2
Mitigations and patches
Either of the following can be used to mitigate the vulnerability:
OAuth login can be disabled in Buildbot configuration.
Patch can be applied: https://github.com/buildbot/buildbot/pull/4763/files
Alternatively Buildbot can be upgraded to v2.3.1 or v1.8.2.
Credits
- Thanks to Phillip Kuhrt for finding and reporting this vulnerability responsibly.